National Defense provides authoritative, non-partisan coverage of business and technology trends in defense and homeland security. A highly regarded news source for defense professionals in government and industry, National Defense offers insight and analysis on defense programs, policy, business, science and technology. Special reports by expert journalists focus on defense budgets, military tactics, doctrine and strategy.

Personal Devices Pose Challenge for Defense Department Security

The proliferation of smartphones has caused a dramatic shift in how hackers target the Defense Department and its industrial base, cybersecurity company officials said.

Instead of going after an organization’s infrastructure, such as servers and firewalls, hackers are infiltrating employees’ personal smartphones and laptops, which usually aren’t as hardened.

“It’s so much easier for the Chinese to hack the CEO of Lockheed [Martin] or the development group of Boeing’s engineers’ personal devices” than to hack the companies’ networks, said Mike Janke, chief executive officer and co-founder of Silent Circle, a National Harbor, Md.-based company that offers a suite of encryption technologies.

Even without Defense Department permission, uniformed and civilian personnel have been using their personal devices during deployments to communicate with family members or conduct business, Janke said. As the Pentagon considers employing a “bring your own device” strategy, hackers increasingly may view smartphones as easy targets.

Hackers could put malicious code on smartphone applications that target service members, said Michael Markulec of Lumeta Corp., a Somerset, N.J.-based developer of network detection software.

“So now the soldier takes that phone … and then uses that app on a WiFi network inside of the military network,” he said. “They launch that app, that piece of malware is then introduced into the network, and you have a potential problem.”

Lumeta currently is rolling out software that would allow all of the Defense Department’s networks to track what devices are connected to them, but there are other methods the department might use to secure personal devices themselves, Markulec said.

One way would be to upload some kind of security agent to a mobile device that monitors applications, much like anti-virus software on a computer. Another is to disable certain functions on the device when it is connected to Defense Department networks, he said.

Silent Circle takes a different approach. Rather than securing the device or network, it protects the data going back and forth between devices. The subscription-based smartphone service can be used to encrypt conversations, video and texts between two Silent Circle users.

To use the service, the subscriber downloads an application on their iPhone or Android. When one Silent Circle user calls another, the two smartphones exchange a shared encryption key that is automatically destroyed at the end of the call.

This “peer-to-peer” method of encryption contrasts with the more commonly used “server-side” approach, where data is encrypted once it reaches the server. The problem with that is the server can be wiretapped or hacked, Janke said.
